Equifax was informed of system vulnerability in 2016
In October 2017, an anonymous security researcher informed Equifax that in December 2016 they had found a vulnerability in one of its public-facing websites that allowed them to access the personal data of every American, including full names, birthdates, city and state of residence, and social security numbers. Inputting a single search term, the researcher reported, would return millions of results, all in cleartext, almost instantly. The researcher was also able to obtain control of several Equifax servers and found others vulnerable to well-known, simple attacks such as SQL injection. It took the company until June 2017 to take the server down. At the end of July, Equifax announced a data breach affecting nearly 150 million people. In interviews, a number of current and former employees who declined to be identified commented on Equifax's lack of attention to security.
tags: Equifax, data breaches, security, hacking
writer: Lorenzo Franceschi-Bicchierai